Only five months in, 2011 has already been labeled "an online consumer's worst nightmare" by New York Times columnist Nick Bilton. A number of high profile cyber attacks have exposed consumers' personal data to criminals and left corporations scrambling to fix security breaches and reassure customers.
While criminal hackers may be responsible for wreaking havoc on the Internet, a growing group of professionals known as ethical hackers or penetration testers is fighting back. Ethical hackers are hired by big-business clients to penetrate their computer networks in order to expose flaws in the security apparatus.
Penetration testing on the rise
January 10, 2011: Cyber criminals infiltrate the EU carbon trading market and steal approximately 7 million Euros worth of emissions permits, according to Reuters.
Ethical hacking is a hot job that is poised to take off as security threats appear to outpace both governmental regulation and corporate IT innovations. To protect themselves from criminal hackers, organizations are turning to ethical professionals who think and act like their black-market counterparts.
An index published in March by Robert Half Technology indicates that IT security professionals should be in great demand during the second quarter of 2011. That demand is a response to what companies and individuals are identifying as increasing threats to online security, even as Americans increasingly use the Internet to transmit personal data.
The Trustwave 2011 Global Security Report declared that "malicious tools" used by cyber criminals "became more customized, covert, automated and persistent" over the course of 2010. The sheer number of users makes computer networks a goldmine for criminals. Recent staggering jackpots include the 12 million credit and debit card numbers exposed to hackers who compromised the Sony PlayStation online network in April.
Regulation of corporate information security could create job opportunity
February 5, 2011: The Wall Street Journal reports that hackers breached the NASDAQ Stock Market computer network, and USA Today later reports they may have accessed confidential financial information of over 175 organizations.
Penetration testers and other computer security specialists are sought after by companies seeking to safeguard their profits and the trust of their customers. Furthermore, companies might soon be scrambling for security pros to spare them from government-imposed penalties. According to The New York Times, federal oversight of corporate computer security is currently lax but might be tightening. Congress is mulling legislation that would regulate the ways in which companies collect and store customer information and make the corporations liable if this information falls into criminal hands. While companies have successfully lobbied against such legislation in the past, the outcry following incidents like the Sony hack might change the political calculus on this issue.
Career outlook for IT security professionals
March 2, 2011: Network World reports that after Google discovered 21 of their mobile apps were malicious software designed to steal information from users, they removed these apps from the Android Market and 50,000 possibly infected devices.
The U.S. Bureau of Labor Statistics (BLS) predicts an astonishing 53 percent growth rate from 2008 to 2018 for network systems and data communications analysts, of which penetration testers are a subgroup. In the short-term, 13 percent of executives polled for the Robert Half report said that they will be looking to hire security specialists in 2011, tying it with networking as the IT function in greatest demand right now. Robert Half Technology reports that salaries for chief security officers ranged from $118,500-$173,000 in 2009. They also report the following salary ranges for security jobs:
- Data security analyst: $84,000 to $114,500
- Systems security administrator: $81,500 to $112,500
- Network security administrator: $81,000 to 111,250
- Information systems security manager: $99,500 to $137,750
Penetration testers need business and technical skills
March 3, 2011: 18 million blogs are down for hours when a denial-of-service attack targets the WordPress hosting service.
Billy Austin, chief security officer for penetration testing provider Saint Corp., told Certification Magazine that a penetration tester must possess a working knowledge of communications and protocol stacks, common operating systems, network components and programming languages such as PEARL.
In addition to technical know-how, penetration testers need to possess a solid understanding of business fundamentals. Dennis Kuntz, Sr. Director of Security and Architecture at Market America, says penetration testers "who understand where security fits in the context of business" will be in high demand, as they are able to "understand what the business' goals are and align security with that."
Mike Murray, Managing Partner at MAD Security and The Hacker Academy, agrees: "If you show an ignorance of business, all your other points are weakened," Murray said. "There's no position that doesn't benefit from great writing, great speaking. [Penetration testers] could be in a room with programmers, network administrators, database administrators . . . [and] have to communicate with all of them."
What it takes to be a penetration tester
April 8, 2011: Forbes reports a massive number of consumers' e-mail addresses and names were accessed by criminals who hacked Epsilon, a marketing company that sends upwards of 40 billion e-mails annually for clients such as Citibank, Best Buy and Walgreen's.
There are many credentials that a professional penetration tester can acquire, such as the Certified Ethical Hacker certification. Kuntz says that the most valuable certifications indicate practical proficiency and are usually issued after extensive simulations of penetration tests that model real-world situations. Some of these certifications are earned by completing intensive 24 or 48-hour hands-on tests.
According to Murray, certifications that are earned through reading a lot of material or that are too narrowly focused are less valuable. "You can't learn how to use a hammer and think that means you know how to build a house," he said, stressing penetration tester education and certification should be about "walking you through each step of what you do in a penetration test."
Groups like the PCI Security Standards Council are pushing for standardized, mandated measures to protect consumer information, which could lead to more penetration testing training centers and expanded curricula. And because computer security systems--and the nefarious methods for getting around them--change so quickly, keeping up to date with the latest technological advancements is crucial to doing great work in this very hot job.
"The one constant in security is change," Murray said. "Information security is one of the hardest industries to have a long-term career in," due to the pressing need to always be "on the front edge of whatever technology curve there is."